SOFTWARE INTEGRITY TEST

TECHNICAL FIELD 

The present invention relates to a method and arrangements for enabling integrity checking of software modules in a mobile communication system software environment.

BACKGROUND 

Present day intelligent mobile communication devices have evolved from a first generation of digital mobile telephones that were capable of not much more than conveying voice conversations in real time. Now the devices are capable of communicating in packet switched high speed digital mobile networks and capable of processing and presenting data in much the same manner as a personal computer. The field of use now includes a diverse number of types of applications, among which games and electronic commerce are only two.

Needless to say, in order to provide users of these terminals with suitable software for use in such applications, there is a need for the terminals to be able to download software written by third party software developers as well as the terminal manufacturer. This can be achieved by way of removable memory units on which software modules can be stored. An example of such a removable memory unit is the Multi Media Card (MMC), which has become a standard for many applications in the field of portable intelligent devices.

There is, however, a problem with removable memory units such as a MMC. Because of the fact that the memory unit can be removed from the communication device, it is possible to alter the content, using e.g. a PC, and then re-insert it into the terminal and operate the terminal with modified software. Such alterations may be innocent enough. However, in many situations it is essential that the integrity of the software is maintained from the provider of the software. Needless to say, software relating to, e.g., electronic commerce is of a kind that relies on integrity.

Therefore, there is a need of a system which tests for the integrity of the software before the software is allowed to take control of the communication terminal. In one example of prior art systems, the Symbian system, this is solved by way of storing inside a protected storage area in the terminal a cryptographic hash of the software that is to be run by processing means in the terminal. Each time the software is to be activated, i.e. run in the terminal, a hash calculation is performed on the software data and if the calculated hash does not match a hash value already stored in the terminal, the software will not be run.

However, this Symbian solution has a drawback in that it is not very flexible when a user of the terminal wishes to download additional software applications that have not been subject to the integrity check involving the storage of a hash value in the terminal. Since the additional software has been stored on the removable memory unit by, e.g., a third party software provider at the time when a user has already obtained the terminal from a terminal provider, and the software being intended for use on any terminal, there can be no record of the specific software (i.e. no hash value) in the terminal itself. Therefore, there exists a problem of the software not being allowed to run on the terminal or, as the case may be, being run only as, e.g., "non-trusted" with less than normal capabilities to operate the terminal.
SUMMARY OF THE INVENTION

It is hence an object of the present invention to provide 
a solution to a problem related to the lack of 
flexibility of prior art as indicated above. 

The object is achieved by way of a method for enabling integrity checking of a software module to be used in a mobile communication terminal according to claim 1 and a mobile communication terminal according to claim 6.

The invention provides a method and a mobile communication terminal for enabling integrity checking of a software module to be used in the terminal. The terminal is capable of communicating in a mobile communication system and the software module is stored on a removable memory unit connected to the terminal. The terminal communicates via the mobile communication system with the software provider. During the communication a digitally signed data block comprising a reference value for use during integrity checking of said software module is received.

In some more detail, according to a preferred embodiment of the invention, the method commences by a hashing step during which the software module itself is hashed, resulting in a first hash value.

Then is performed transmission of the first hash value as well as a first identifier, which is associated with the memory unit in the form of, e.g., a unit serial number or a software module identification code. A second identifier, which is associated with the terminal in the form of, e.g., a terminal serial number, is also transmitted. The transmission is performed via the mobile communication system to a provider of the software module.

The method continues with the step of receiving, from the provider of the software module, a data block comprising a digital signature and further data. The further data is associated with the memory unit and the terminal and may, e.g., be in the form of the first and the second identifier.

After the reception of the data block, this is subject to a step of analysis. The analysis comprises a verification of the digital signature and comparison of said further data with said first and second identifiers.

The received data block comprising the signature is then stored, thereby providing a reference value for use during integrity checking of the software module.

In other words, an effect of the invention is that, when a memory unit, such as a MMC card, is inserted into the device, it is "tagged" to the extent that the memory unit is usable only in connection with the terminal to which it was initially connected. After this "tagging" action, simply copying all software or data that is stored on the card onto another memory unit does not enable another terminal to make full use of the software. That is, the only combination of hardware and software that will result in the device accepting the software is the combination of the unaltered version of the software module, the original memory module and the device with which it was tagged.

An advantage of the invention is that it is more flexible than prior art integrity checking solutions where the integrity checking involves use of information that is already stored in a protected storage area of the terminal.

Another advantage of the invention is that it allows reliable copy protection of a software module, since a user terminal into which a software module is to be loaded communicates with a provider of the software and, in effect, asks for permission to use the module.
BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 shows schematically a block view of a mobile communication system including an embodiment of a mobile communication terminal according to the present invention.

Figure 2 shows a flow chart of an embodiment of a method 
according to the present invention. 

Figure 3 shows a flow chart of an integrity checking procedure.

PREFERRED EMBODIMENTS

Below will follow a description of a method for enabling integrity checking according to the present invention. The embodiment is illustrated by way of a schematic view of a communication system 100 in figure 1 and flow charts in figures 2 and 3.

The communication system 100 comprises a mobile communication terminal 101, which includes a number of means for operating the terminal in the system 100. A processing unit 105 is connected via a bus 106 to a removable memory unit 103, an internal memory unit 107, an input/output unit 109 and a radio transceiver unit 115. The input/output unit 109 in turn conveys information from a keyboard 111 and a display 113. The radio transceiver unit 115 is capable of establishing a radio connection with a radio base station 119 via an air interface 117 in a radio communication network 121. Information is exchanged between the terminal 101 and a software provider server 125 having a database 127 via a data communication network 123 that is connected to the radio communication network 121.

As the person skilled in the art will realize from the description, the embodiment is one that is implemented on a Symbian platform, which is in use in a number of mobile communication terminals, such as the terminal 101 described above, from a multitude of manufacturers. Moreover, the embodiment of the method utilizes a removable software module, such as the removable memory unit 103 in figure 1, in the form of a Multi Media Card (MMC), also known to the person skilled in the art. However, it shall be stressed that the invention is not limited to implementation in a Symbian system using a MMC card. Other combinations of hardware and software platforms are possible, as the person skilled in the art will realize.

Referring now to figures 1 and 2, when a removable memory card 103 is inserted into a Symbian platform security enabled device, i.e. the terminal 101, a software installation file is executed. The installation software may reside either on the MMC card or in the device itself.

In an initial hashing step 201, the installation function hashes the executables, i.e. the software module, on the MMC card 103 along with the MMC serial number of the MMC card 103.

In a transmission step 203 the installation file sends the international mobile station equipment identity (IMEI) code of the terminal 101, the MMC serial number of the removable memory unit 103 and the hash value resulting from the hashing step 201, via the mobile communication system 100 to the receiving server 125 at the software provider.

Then, in a checking step 205, the software provider checks if it really is the true issuer or provider of a MMC 103 with this MMC serial number, containing the software module corresponding to the first hash value. In other words, it is made sure that the received first hash value matches a hash value of a software module provided by the provider. If the check is successful, the provider digitally signs the received information and returns the result in a key file to the terminal 101 via the mobile communication system 100.

In a storage step 207, the software provider server 125 stores the MMC serial number relationship in its database 127. This will have the effect that the software provider will not sign any other, i.e. later, request for the same MMC serial number and same software module, thereby "tagging" the software module as discussed above.

The key file arrives in a reception step 209 in the mobile communication terminal 101 and is passed on to the software installation function running in the terminal 101, which is running with full privileges.

In a verification step 211 the signature on the key file is verified and a check is made in a checking step 213 that the IMEI code matches the IMEI code of the device. The software installation function also compares, in a comparison step 215, the MMC serial number in the received key file and the MMC serial number of the currently connected MMC card 103.

The signed key file is then stored, in a storage step 
217, into the Symbian platform security MMC integrity 
protection registry, preferably realized in the internal 
memory 107 of the terminal 101. 

In contrast to prior art, where this is done when installing software on the MMC 103, now the software provider's software data populates the registry just as if the files had been installed on the MMC 103. But since they are already present there, the only action that is performed is populating the integrity registry.

At this point, integrity checking of the software is enabled. Hence, when starting a program from the MMC 103 a check for integrity can be performed according to, e.g., the following steps, continuing with reference to figure 3.

In a hashing step 301, the platform security system, i.e. Symbian software functions, hashes the target executable. It notices that this hash was inserted in this special fashion, and also hashes the MMC serial number of the currently inserted MMC card 103 with the executable.

In a checking step 303 a check is made whether or not the hash value matches the previously stored hash value in the signed key file. A check is also made whether the MMC identifier matches the stored signed identifier in the key file. If the values match, the executable code is allowed to run on the terminal 101, as indicated by the execution step 305.
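The tagging procedure of figure 2 (steps 201 to 217) and the launch-time check of figure 3 (steps 301 to 305), as an added Python example that is not part of the application and not code from the applicant. It assumes SHA-256 for the hashing steps and, as a stand-in for the provider's digital signature, an HMAC under a key shared between provider and terminal; a real deployment would use a public-key signature that the terminal verifies with the provider's public key. The class and function names, the IMEI and MMC serial values, the executable bytes and the database contents are all constructed here.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

@dataclass
class Mmc:
    """Removable memory unit 103: serial number plus the software module stored on it."""
    serial: str
    executable: bytes

def module_hash(executable: bytes, mmc_serial: str) -> str:
    """Hashing steps 201 and 301: the executable is hashed together with the MMC serial."""
    return hashlib.sha256(executable + b"|" + mmc_serial.encode("ascii")).hexdigest()

def tag_signature(key: bytes, data: dict) -> str:
    # Assumption: an HMAC over a canonical encoding stands in for the provider's digital signature.
    return hmac.new(key, json.dumps(data, sort_keys=True).encode("utf-8"), hashlib.sha256).hexdigest()

class SoftwareProvider:
    """Software provider server 125 with its database 127 of sold cards."""

    def __init__(self, signing_key: bytes, sold_cards: dict):
        self._key = signing_key        # assumption: HMAC key stands in for the signing key
        self._sold_cards = sold_cards  # database 127: MMC serial -> hash of the module shipped on it
        self._tagged = {}              # storage step 207: MMC serial -> IMEI it was tagged to

    def request_key_file(self, imei: str, mmc_serial: str, first_hash: str):
        """Checking step 205 and storage step 207; returns the signed key file or None."""
        if self._sold_cards.get(mmc_serial) != first_hash:
            return None                # not a card and module this provider issued
        if mmc_serial in self._tagged:
            return None                # serial already tagged: any later request is refused
        self._tagged[mmc_serial] = imei
        data = {"imei": imei, "mmc_serial": mmc_serial, "hash": first_hash}
        return {"data": data, "signature": tag_signature(self._key, data)}

class Terminal:
    """Mobile communication terminal 101; the registry lives in internal memory 107."""

    def __init__(self, imei: str, provider_key: bytes):
        self.imei = imei
        self._provider_key = provider_key  # assumption: key that verifies the provider's signature
        self.registry = {}                 # MMC integrity protection registry: hash -> signed key file

    def install(self, mmc: Mmc, provider: SoftwareProvider) -> bool:
        """Figure 2, steps 201 to 217; True once the signed key file is in the registry."""
        first_hash = module_hash(mmc.executable, mmc.serial)                      # step 201
        key_file = provider.request_key_file(self.imei, mmc.serial, first_hash)  # step 203
        return key_file is not None and self.accept_key_file(key_file, mmc)       # step 209

    def accept_key_file(self, key_file: dict, mmc: Mmc) -> bool:
        """Verification step 211 through storage step 217 (split out so a forged reply can be fed in)."""
        data = key_file["data"]
        expected = tag_signature(self._provider_key, data)
        if not hmac.compare_digest(expected, key_file["signature"]):       # verification step 211
            return False
        if data["imei"] != self.imei or data["mmc_serial"] != mmc.serial:  # steps 213 and 215
            return False
        self.registry[data["hash"]] = key_file                             # storage step 217
        return True

    def may_run(self, mmc: Mmc) -> bool:
        """Figure 3: hashing step 301 and checking step 303; True means execution step 305."""
        current_hash = module_hash(mmc.executable, mmc.serial)             # step 301
        key_file = self.registry.get(current_hash)
        if key_file is None:
            return False                                                   # no signed key file holds this hash
        data = key_file["data"]
        return data["hash"] == current_hash and data["mmc_serial"] == mmc.serial  # step 303

# Constructed sample data, not taken from the application.
PROVIDER_KEY = b"constructed-provider-signing-key"
MODULE = b"\x7fELF constructed executable bytes"
GENUINE_SERIAL = "MMC-0001"
SOLD_CARDS = {GENUINE_SERIAL: module_hash(MODULE, GENUINE_SERIAL)}

def run_scenarios() -> dict:
    """Plays through the cases the description discusses; each value is 'module may run'."""
    provider = SoftwareProvider(PROVIDER_KEY, dict(SOLD_CARDS))
    genuine = Mmc(GENUINE_SERIAL, MODULE)
    terminal_a, terminal_b = Terminal("IMEI-A", PROVIDER_KEY), Terminal("IMEI-B", PROVIDER_KEY)
    results = {"genuine_card_on_terminal_a": terminal_a.install(genuine, provider) and terminal_a.may_run(genuine)}
    # Module copied onto a card with another serial and inserted into the tagged terminal.
    results["copied_card_on_terminal_a"] = terminal_a.may_run(Mmc("MMC-0002", MODULE))
    # Module altered on the original card.
    results["altered_module_on_terminal_a"] = terminal_a.may_run(Mmc(GENUINE_SERIAL, MODULE + b"!"))
    # Original card, or a pirate copy carrying the same serial, moved to a second terminal: step 205 refuses.
    results["tagged_card_on_terminal_b"] = terminal_b.install(genuine, provider)
    # Card copied before tagging: its serial is not in database 127.
    results["unsold_serial_on_terminal_b"] = terminal_b.install(Mmc("MMC-9999", MODULE), provider)
    # Key file assembled without the provider's key: the signature check in step 211 fails.
    forged = {"data": {"imei": "IMEI-B", "mmc_serial": GENUINE_SERIAL, "hash": SOLD_CARDS[GENUINE_SERIAL]},
              "signature": "00" * 32}
    results["forged_key_file_on_terminal_b"] = terminal_b.accept_key_file(forged, genuine)
    return results
```

Calling run_scenarios() yields True only for the genuine card on the terminal it was tagged to; every other case in the dictionary is refused, which mirrors the outcomes the description lists for a copied card, a card moved to a second terminal, an unsold serial and a forged key file. Because the MMC serial is folded into the hash, the registry lookup in step 301 already fails for a copy on a different card; the explicit serial comparison in step 303 is kept so that both checks named in the description are visible.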

The invention as described above provides a simple and effective way of enabling integrity check of a software module. For example, if the software module stored in the removable memory unit 103, e.g. a MMC, has been copied onto another MMC and that other MMC is inserted into a terminal 101 that has been tagged with the original MMC, its unique MMC serial number is not the same. Hash verification fails and the software module will not be allowed to run.

Also, if the MMC is connected to a second terminal (not shown) after it has been "tagged" when initially connected to a first terminal 101, the software provider will not sign the request for a signed key file.

Also, if the MMC is copied before "tagging" it, the MMC serial number of the card that it has been copied onto (not shown) is not in the software provider server database 127 of sold cards, so the software provider will not honour the MMC serial number.

Also, if a "software pirate" is producing a plurality of cards (not shown) with one and the same MMC serial number, only the first "tagging" request is honoured by the software provider.

Finally, the signed reply from the software provider (the tagging message, i.e. the key file) cannot be forged because it contains the IMEI of the target mobile terminal and is signed by the software provider.

CLAIMS 

1. A method for enabling integrity checking of a software module to be used in a mobile communication terminal, said terminal capable of communicating in a mobile communication system, said software module being stored on a removable memory unit connected to the terminal, said method characterized in that the terminal communicates via the mobile communication system with the software provider, said communication including reception of a digitally signed data block comprising a reference value for use during integrity checking of said software module.

2. A method according to claim 1, comprising the steps of:

- hashing the software module, resulting in a first hash value,

- transmitting a first identifier, associated with the memory unit, a second identifier, associated with the terminal, and the first hash value via the mobile communication system to a provider of the software module,

- receiving, from the provider of the software module, a data block comprising a digital signature and further data associated with the memory unit and the terminal,

- analysing the received data block, comprising verification of the digital signature and comparison of said further data with said first and second identifiers,

- storing the received data block comprising the digital signature, thereby providing a reference value for use during integrity checking of said software module.

3. A method according to claim 2, where the transmission of the first identifier includes transmission of a memory unit serial number.
4. A method according to claim 2, where the transmission of the first identifier includes transmission of a software module identification number.

5. A method according to any one of claims 2-4, where the transmission of the second identifier includes transmission of an international mobile station equipment identity code.

6. A mobile communication terminal, comprising means for enabling integrity checking of a software module to be used in the terminal, said terminal capable of communicating in a mobile communication system, said software module being stored on a removable memory unit connected to the terminal, said terminal characterized in that it comprises means for communicating via the mobile communication system with the software provider, said means for communication including means for receiving a digitally signed data block comprising a reference value for use in means for integrity checking of said software module.

7. A terminal according to claim 6, comprising:

- means for hashing the software module, arranged to provide a first hash value,

- means for transmitting a first identifier, associated with the memory unit, a second identifier, associated with the terminal, and the first hash value via the mobile communication system to a provider of the software module,

- means for receiving, from the provider of the software module, a data block comprising a digital signature and further data associated with the memory unit and the terminal,

- means for analysing the received data block, comprising means for verification of the digital signature and comparison of said further data with said first and second identifiers,

- means for storing the received data block comprising the digital signature, arranged to provide a reference value for use during integrity checking of said software module.

8. A terminal according to claim 7, where the means for transmitting the first identifier includes means for transmitting a memory unit serial number.

9. A terminal according to claim 7, where the means for transmitting the first identifier includes means for transmitting a software module identification number.

10. A terminal according to any one of claims 7-9, where the means for transmitting the second identifier includes means for transmitting an international mobile station equipment identity code.
ABSTRACT

Integrity checking of a software module to be used in a mobile communication terminal (101) is illustrated. The terminal (101) is capable of communicating in a mobile communication system (100) and the software module is stored on a removable memory unit (103) connected to the terminal (101). The terminal (101) communicates via the mobile communication system (100) with the software provider (125). During the communication a digitally signed data block comprising a reference value for use during integrity checking of said software module is received.

Figure 1 for publication 
